Yahoo has fallen victim to the largest data breach yet publicly disclosed. And, as a consequence, so has much of the world.
The company says that at least 500 million accounts were exposed in a hack, dating from late 2014, that it attributes to a state-sponsored attacker. According to Yahoo's own statement the stolen data may include names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers.
It is not only the largest hack by the number of accounts affected, but might be one of the most significant of recent years. It threatens to derail the company just as it is being bought by Verizon – a deal that was thought by some to be its saviour.
But far more important than the effect on Yahoo is the effect on the company’s hundreds of millions of users. Here’s what to do if you think you might be one of them – and even if you don’t.
How do I know if I’ve been hacked?
Presume that you have been. Yahoo has said that people who are affected will have been notified – but there’s no guarantee that you will have heard yet, and Yahoo might not even be able to get hold of you if your account is especially old.
With 500 million accounts affected, you may never hear from Yahoo directly, and the chance that an account of yours, possibly one you had forgotten about, is caught up in it is high. It is safest just to work as if you have already been hacked.
In fact, that is usually the safest thing to do in general. As the Yahoo hack demonstrated, you might well have already had your data stolen from any of the services that you use, and not know about it. So it is worth proceeding as if that is the case: changing a password promptly whenever a service you use reports a breach, using two-factor authentication, and making sure that you never use the same password across different accounts.
But what if I don’t use Yahoo?
It doesn’t really matter, since it’s worth taking all of these precautions anyway. And Yahoo has been going for years, taking in a huge number of products – so you might well have had an account with the company at some point, even if it’s not in use now.
What’s the first thing to do?
Change your password on Yahoo, and then change it anywhere else you have ever used the same or a similar password. Yahoo's own notice also tells users to change their security questions and answers on any other account where they reused them, since those were among the data taken. If you are not sure where you have reused things, it is worth changing everything you can just to make sure.
Start with the accounts that matter most: your email first, because it is used to reset the passwords on everything else, then internet banking and anything that holds payment details, and work outwards from there. Make sure that each one gets a different password.
Is there anything more I can do?
Passwords on their own are a weak form of authentication, and the alternatives, such as biometrics and hardware security keys, are not yet supported widely enough to replace them. But there are some ways to make your accounts more secure.
For any site that offers two-factor authentication, you should turn it on. In its most common form you register your phone number with the account, and each time you log in the company sends you a text message containing a one-time code that you have to type into the site. That way someone who has only your password cannot get past the login page. Text messages are the weakest form of it, though: an attacker who persuades your mobile operator to move your number to their SIM receives your codes instead of you. Where a site offers an authenticator app or a hardware security key, choose that instead.
Almost every major internet company now supports two-factor authentication, and it is probably not worth trusting anyone that handles sensitive data and still does not.
Another thing that is worth doing is using a password manager. It can be a bit of a bother, since logging in takes an extra step and you have to install and learn a separate piece of software, but it is far more secure.
Password managers can generate a long random password for each account, meaning that not only will no password be shared between sites, each one will also be far harder to guess. Popular ones include 1Password, Dashlane and LastPass.
What should I do if I think I've been hacked?
Yahoo's own advice, published to Tumblr, made clear that it's worth watching for any suspicious activity in any of your accounts in the coming days. That includes your email and your bank accounts, as well as anything else.
"Review your accounts for suspicious activity," Yahoo told users. "Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information.
"Avoid clicking on links or downloading attachments from suspicious emails."
What is Yahoo going to do?
The company has committed to work hard to protect the people already hacked, and to make sure that it's not hacked again. But it did so in slightly grand language – meaning that it's not really clear exactly how it's going to help.
Bob Lord, Yahoo's chief information security officer, said: "An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries.
"Through strategic proactive detection initiatives and active response to unauthorised access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure."
More important will be what Yahoo is forced to do by users. There is already discussion of class-action lawsuits and compensation for users.
Does it matter that it appears to have been state-sponsored?
Less than you might think. A state-sponsored attacker is usually after a specific group of people, such as officials, journalists or dissidents, rather than money from every user, so in that narrow sense most individual accounts are less likely to be exploited directly than after an ordinary criminal hack.
But stolen data, and particularly very valuable data like passwords, has a tendency to get out into the world: credential sets are copied, traded and resold. So even though Yahoo has claimed the attack was done by a government, a claim that has not been independently confirmed, it is probably in the hands of other dodgy people now too.